tee: Refactor TEE subsystem header files

Since commit 25559c22cef8 ("tee: add kernel internal client interface"),
it has been a common include/linux/tee_drv.h header file which is shared
to hold TEE

tee: Refactor TEE subsystem header files

Since commit 25559c22cef8 ("tee: add kernel internal client interface"),
it has been a common include/linux/tee_drv.h header file which is shared
to hold TEE subsystem internal bits along with the APIs exposed to the
TEE client drivers. However, this practice is prone to TEE subsystem
internal APIs abuse and especially so with the new TEE implementation
drivers being added to reuse existing functionality.

In order to address this split TEE subsystem internal bits as a separate
header file: include/linux/tee_core.h which should be the one used by
TEE implementation drivers. With that include/linux/tee_drv.h lists only
APIs exposed by TEE subsystem to the TEE client drivers.

Signed-off-by: Sumit Garg <[email protected]>
Signed-off-by: Balint Dobszay <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance,

tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance, if a session
has refcount == 1, and one thread tries to free this session via:

kref_put(&sess->refcount, destroy_session);

the reference count will get decremented, and the next step would be to
call destroy_session(). However, if in another thread,
amdtee_open_session() is called before destroy_session() has completed
execution, alloc_session() may return 'sess' that will be freed up
later in destroy_session() leading to use-after-free in
amdtee_open_session.

To fix this issue, treat decrement of sess->refcount and removal of
'sess' from session list in destroy_session() as a critical section, so
that it is executed atomically.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Cc: [email protected]
Signed-off-by: Rijo Thomas <[email protected]>
Reviewed-by: Sumit Garg <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: fix race condition in amdtee_open_session

There is a potential race condition in amdtee_open_session that may
lead to use-after-free. For instance, in amdtee_open_session() after
sess->

tee: amdtee: fix race condition in amdtee_open_session

There is a potential race condition in amdtee_open_session that may
lead to use-after-free. For instance, in amdtee_open_session() after
sess->sess_mask is set, and before setting:

sess->session_info[i] = session_info;

if amdtee_close_session() closes this same session, then 'sess' data
structure will be released, causing kernel panic when 'sess' is
accessed within amdtee_open_session().

The solution is to set the bit sess->sess_mask as the last step in
amdtee_open_session().

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Cc: [email protected]
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Sumit Garg <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: fix an IS_ERR() vs NULL bug

The __get_free_pages() function does not return error pointers it returns
NULL so fix this condition to avoid a NULL dereference.

Fixes: 757cc3e9ff1d ("tee:

tee: amdtee: fix an IS_ERR() vs NULL bug

The __get_free_pages() function does not return error pointers it returns
NULL so fix this condition to avoid a NULL dereference.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Rijo Thomas <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: unload TA only when its refcount becomes 0

Same Trusted Application (TA) can be loaded in multiple TEE contexts.

If it is a single instance TA, the TA should not get unloaded from AMD

tee: amdtee: unload TA only when its refcount becomes 0

Same Trusted Application (TA) can be loaded in multiple TEE contexts.

If it is a single instance TA, the TA should not get unloaded from AMD
Secure Processor, while it is still in use in another TEE context.

Therefore reference count TA and unload it when the count becomes zero.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Acked-by: Dan Carpenter <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: synchronize access to shm list

Synchronize access to shm or shared memory buffer list to prevent
race conditions due to concurrent updates to shared shm list by
multiple threads.

Fixes

tee: amdtee: synchronize access to shm list

Synchronize access to shm or shared memory buffer list to prevent
race conditions due to concurrent updates to shared shm list by
multiple threads.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: fix memory leak due to reset of global shm list

The driver maintains a list of shared memory buffers along with their
mapped buffer id's in a global linked list. These buffers need to b

tee: amdtee: fix memory leak due to reset of global shm list

The driver maintains a list of shared memory buffers along with their
mapped buffer id's in a global linked list. These buffers need to be
unmapped after use by the user-space client.

The global shared memory list is initialized to zero entries in the
function amdtee_open(). This clearing of list entries can be a source
for memory leak on secure side if the global linked list previously
held some mapped buffer entries allocated from another TEE context.

Fix potential memory leak issue by moving global shared memory list
to AMD-TEE driver context data structure.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: out of bounds read in find_session()

The "index" is a user provided value from 0-USHRT_MAX. If it's over
TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we
call tes

tee: amdtee: out of bounds read in find_session()

The "index" is a user provided value from 0-USHRT_MAX. If it's over
TEE_NUM_SESSIONS (31) then it results in an out of bounds read when we
call test_bit(index, sess->sess_mask).

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Acked-by: Rijo Thomas <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: amdtee: fix memory leak in amdtee_open_session()

On these error paths the "sess" variable isn't freed. It's a refcounted
pointer so we need to call kref_put(). I re-arranged the code a bit so

tee: amdtee: fix memory leak in amdtee_open_session()

On these error paths the "sess" variable isn't freed. It's a refcounted
pointer so we need to call kref_put(). I re-arranged the code a bit so
the error case is always handled before the success case and the error
paths are indented two tabs.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Reviewed-by: Rijo Thomas <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>

show more ...

tee: fix memory allocation failure checks on drv_data and amdtee

Currently the memory allocation failure checks on drv_data and
amdtee are using IS_ERR rather than checking for a null pointer.
Fix t

tee: fix memory allocation failure checks on drv_data and amdtee

Currently the memory allocation failure checks on drv_data and
amdtee are using IS_ERR rather than checking for a null pointer.
Fix these checks to use the conventional null pointer check.

Addresses-Coverity: ("Dereference null return")
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Colin Ian King <[email protected]>
Reviewed-by: Rijo Thomas <[email protected]>
Acked-by: Jens Wiklander <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: remove redundant NULL check for pool

Remove NULL check for pool variable, since in the current
code path it is guaranteed to be non-NULL.

Reported-by: Dan Carpenter <dan.carpenter@orac

tee: amdtee: remove redundant NULL check for pool

Remove NULL check for pool variable, since in the current
code path it is guaranteed to be non-NULL.

Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: rename err label to err_device_unregister

Rename err label to err_device_unregister for better
readability.

Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Rijo T

tee: amdtee: rename err label to err_device_unregister

Rename err label to err_device_unregister for better
readability.

Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: skip tee_device_unregister if tee_device_alloc fails

Currently, if tee_device_alloc() fails, then tee_device_unregister()
is a no-op. Therefore, skip the function call to tee_device_unr

tee: amdtee: skip tee_device_unregister if tee_device_alloc fails

Currently, if tee_device_alloc() fails, then tee_device_unregister()
is a no-op. Therefore, skip the function call to tee_device_unregister() by
introducing a new goto label 'err_free_pool'.

Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: print error message if tee not present

If there is no TEE with which the driver can communicate, then
print an error message and return.

Suggested-by: Dan Carpenter <dan.carpenter@orac

tee: amdtee: print error message if tee not present

If there is no TEE with which the driver can communicate, then
print an error message and return.

Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: remove unused variable initialization

Remove unused variable initialization from driver code.

If enabled as a compiler option, compiler may throw warning for
unused assignments.

Repor

tee: amdtee: remove unused variable initialization

Remove unused variable initialization from driver code.

If enabled as a compiler option, compiler may throw warning for
unused assignments.

Reported-by: Dan Carpenter <[email protected]>
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Rijo Thomas <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: amdtee: check TEE status during driver initialization

The AMD-TEE driver should check if TEE is available before
registering itself with TEE subsystem. This ensures that
there is a TEE which th

tee: amdtee: check TEE status during driver initialization

The AMD-TEE driver should check if TEE is available before
registering itself with TEE subsystem. This ensures that
there is a TEE which the driver can talk to before proceeding
with tee device node allocation.

Cc: Ard Biesheuvel <[email protected]>
Cc: Tom Lendacky <[email protected]>
Acked-by: Jens Wiklander <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Reviewed-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...

tee: add AMD-TEE driver

Adds AMD-TEE driver.
* targets AMD APUs which has AMD Secure Processor with software-based
Trusted Execution Environment (TEE) support
* registers with TEE subsystem
* defi

tee: add AMD-TEE driver

Adds AMD-TEE driver.
* targets AMD APUs which has AMD Secure Processor with software-based
Trusted Execution Environment (TEE) support
* registers with TEE subsystem
* defines tee_driver_ops function callbacks
* kernel allocated memory is used as shared memory between normal
world and secure world.
* acts as REE (Rich Execution Environment) communication agent, which
uses the services of AMD Secure Processor driver to submit commands
for processing in TEE environment

Cc: Ard Biesheuvel <[email protected]>
Cc: Tom Lendacky <[email protected]>
Acked-by: Jens Wiklander <[email protected]>
Co-developed-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Devaraj Rangasamy <[email protected]>
Signed-off-by: Rijo Thomas <[email protected]>
Reviewed-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>

show more ...